Data Processing Agreement

Version 1.0 — Last updated: 1 March 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: [Enterprise Partner Company Name] ("Controller"), and

Data Processor: AtmosLedger Ltd, registered in England and Wales ("Processor").

2. Purpose of Processing

The Processor processes personal data on behalf of the Controller solely for the purpose of providing carbon footprint calculation services, generating Carbon Passports, and producing compliance reports (CRP, CDP, CSRD, CBAM) for the Controller's supplier companies.

3. Categories of Data Subjects

Employees and authorised representatives of the Controller's supplier companies who are invited to use the AtmosLedger platform.

4. Types of Personal Data

Contact information (name, email address, job title), company information (company name, sector, employee count), and CRP signatory details (name and title of board-level signatory). The Processor does not process special category data.

5. Duration of Processing

Processing continues for the duration of the service agreement between the parties. Upon termination, the Processor will delete all personal data within 30 days unless retention is required by applicable law.

6. Sub-processors

The Processor engages the following sub-processors. The Controller may object to changes by written notice within 14 days.

Sub-processor | Purpose                             | Location
Supabase Inc. | Database hosting and authentication | EU (Frankfurt)
Vercel Inc.   | Application hosting                 | EU
Stripe Inc.   | Payment processing                  | US (EU SCCs)
Resend Inc.   | Transactional email delivery        | US (EU SCCs)

A current list is maintained at atmosledger.com/subprocessors.

7. Security Measures

The Processor implements appropriate technical and organisational measures including: encryption in transit (TLS 1.3) and at rest (AES-256), row-level security on all database tables, regular security updates, access logging, and incident response procedures. The Processor will notify the Controller of any personal data breach without undue delay and in any event within 72 hours.

8. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing the necessary tools and data export capabilities within the platform.

9. International Transfers

Where personal data is transferred outside the EEA/UK, the Processor ensures that appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) as approved by the European Commission.

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA upon reasonable notice. The Processor will provide all information necessary to demonstrate compliance with Article 28 of the UK GDPR.

11. Contact

For questions about this DPA or to request a signed copy, contact legal@atmosledger.com.